一、基于路由的×××拓扑
二、基于路由的×××
-------------------------------------------------------------------------------------------
/* Untrust-side interface: the IKE gateway in the security stanza names em0.0 as its external-interface. */
interfaces {
    em0 {
        unit 0 {
            family inet {
                address 202.0.0.2/24;
            }
        }
    }
    /* Trust-side (LAN) interface; 192.168.0.0/24 is the "chicago" address-book entry. */
    em1 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    /* Secure tunnel interface. The IPsec VPN is bound to st0.0 and the static route
       to 10.0.0.0/24 points at it - that routing decision is what makes the VPN route-based. */
    st0 {
        unit 0 {
            family inet {
                address 172.16.0.2/24;
            }
        }
    }
}
-------------------------------------------------------------------------------------------
/* Route-based VPN: traffic for the remote LAN is steered into the tunnel by an
   ordinary static route whose next hop is the st0.0 tunnel interface, not by a
   policy match on the traffic itself. */
routing-options {
    static {
        /* Default route toward the untrust next hop (202.0.0.1 is also the IKE peer address). */
        route 0.0.0.0/0 next-hop 202.0.0.1;
        /* Remote site (the "sunnyvale" address-book entry) reached through the tunnel interface. */
        route 10.0.0.0/24 next-hop st0.0;
    }
}
-------------------------------------------------------------------------------------------
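security {
    /* ---- IKE (phase 1) ---- */
    ike {
        proposal ike-phase1-proposal {
            authentication-method pre-shared-keys;
            /* group2 is 1024-bit MODP and sha1 is deprecated for IKE; they are kept
               here only because both ends of the tunnel must agree. For a new
               deployment prefer group14 or stronger and sha-256, on both peers. */
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm aes-128-cbc;
        }
        policy ike-phase-policy {
            mode main;
            proposals ike-phase1-proposal;
            /* "$9$" is Junos reversible obfuscation, not a hash: anyone who can read
               this line can recover the PSK. Treat the configuration as secret, use a
               long random key, and rotate it if the config has been published. */
            pre-shared-key ascii-text "$9$n9t19t0EclLxdBIxdbsJZn/C"; ## SECRET-DATA
        }
        gateway gw-sunnyvale {
            ike-policy ike-phase-policy;
            /* Peer's public address. IKE must be allowed as a host-inbound system
               service on the zone that contains em0.0 (see zones below). */
            address 202.0.0.1;
            external-interface em0.0;
        }
    }
    /* ---- IPsec (phase 2) ---- */
    ipsec {
        proposal ipse-phase2-proposal {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm aes-128-cbc;
        }
        policy ipsec-phase2-policy {
            /* PFS with group2: same strength caveat as the phase-1 dh-group. */
            perfect-forward-secrecy {
                keys group2;
            }
            proposals ipse-phase2-proposal;
        }
        /* "***" below is the hosting site's redaction of the word the original used
           (the Junos `vpn` keyword); it appears the same way in the zone and policy names. */
        *** ike-***-sunnyvale {
            /* Binding the VPN to st0.0 is what lets the static route select the tunnel. */
            bind-interface st0.0;
            ike {
                gateway gw-sunnyvale;
                ipsec-policy ipsec-phase2-policy;
            }
        }
    }
    /* ---- address book ---- */
    address-book {
        book1 {
            address chicago 192.168.0.0/24;
            address sunnyvale 10.0.0.0/24;
            attach {
                zone trunst;
                zone untrunst;
                /* FIX: the policies below reference "sunnyvale" with ***-sunnyvale as a
                   from-zone and to-zone. A zone-attached book is only visible to the
                   zones it is attached to, so the VPN zone needs the book as well
                   (confirm against your Junos release). */
                zone ***-sunnyvale;
            }
        }
    }
    /* ---- flow ---- */
    flow {
        tcp-mss {
            /* Clamp MSS on TCP flows entering the tunnel so the ESP overhead does
               not push packets past the path MTU. */
            ipsec-*** {
                mss 1350;
            }
        }
    }
    /* ---- policies ---- */
    policies {
        from-zone trunst to-zone ***-sunnyvale {
            policy ***-tr-sun {
                match {
                    source-address chicago;
                    /* FIX: was "sun", which book1 does not define; the entry is "sunnyvale". */
                    destination-address sunnyvale;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ***-sunnyvale to-zone trunst {
            policy ***-sun-tr {
                match {
                    source-address sunnyvale;
                    destination-address chicago;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    /* ---- zones ---- */
    zones {
        security-zone untrunst {
            host-inbound-traffic {
                system-services {
                    /* Only IKE is exposed toward the Internet side. */
                    ike;
                }
            }
            /* FIX: em0.0 was not placed in any zone. The IKE gateway terminates on it,
               so it must belong to the zone whose host-inbound-traffic permits ike. */
            interfaces {
                em0.0;
            }
        }
        security-zone trunst {
            host-inbound-traffic {
                system-services {
                    /* "all" exposes every management service to the LAN; acceptable
                       for a lab, narrow it (e.g. ssh, ping) in production. */
                    all;
                }
            }
            /* FIX: em1.0 was not placed in any zone; without this, LAN traffic never
               reaches the trunst -> ***-sunnyvale policy. */
            interfaces {
                em1.0;
            }
        }
        security-zone ***-sunnyvale {
            interfaces {
                st0.0;
            }
        }
    }
}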
转载于:https://blog.51cto.com/theelephant/1544205